Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vulnerability In Font Processing Library Affects Linux, OpenOffice, Firefox (softpedia.com)

Posted by timothy on from the well-stop-using-fonts dept.

An anonymous reader writes: If an application can embed fonts with special characters, then it's probably using the Graphite font processing library. This library has several security issues which an attacker can leverage to take control of your OS via remote code execution scenarios. The simple attack would be to deliver a malicious font via a Web page's CSS. The malformed font loads in Firefox, triggers the RCE exploit, and voila, your PC has a hole inside through which malware can creep in.

4 of 95 comments (clear)

  1. Current version of Firefox is not vulnerable by Anonymous Coward · · Score: 5, Informative

    Known Vulnerable Versions:
    Libgraphite 2-1.2.4
    Firefox 31-42

    source: http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html

    1. Re:Current version of Firefox is not vulnerable by buchner.johannes · · Score: 5, Informative

      in the meantime, you can set gfx.font_rendering.graphite.enabled to False

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  2. Hyperbole? Much? by Viol8 · · Score: 5, Insightful

    FTA:

    "The worst is an out-of-bounds read bug (CVE-2016-1521) that allows attackers to crash the system"

    Err no. It'll crash the browser (or whichever userspace program is using the library). Thats a bit different to crashing the kernel.

    Bring back the X Font Server and get off my lawn!

  3. Re:gfx.font_rendering.graphite.enabled by gustygolf · · Score: 5, Informative

    Or disable web fonts. No attack vector that way.

    gfx.downloadable_fonts.enabled = false

    --
    "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.